Tuesday, October 19, 2010

Our customers frequently ask about how to integrate Oracle Access Manager authentication with Oracle Application Express. There is currently a thread on the Oracle Technology Network discussion forum, asking for this type of solution. It has always been my intention to present this as an official whitepaper and recommended solution from Oracle. However, I have been struggling with some Oracle Access Manager configuration issues and I simply did not want to delay any further. The "official" whitepaper and detailed instructions will have to come later.

Back in March 2010, I took careful note of a message that Scott Spadafore on our team had sent to someone in Oracle Support. It was a generic solution for authentication via an HTTP header variable. A couple of months ago, this question came up again and Tyler Muth provided me with a slightly modified version of what Scott had originally authored. With some more minor modifications on my part, I can share this custom authentication scheme, which can be used with Oracle Access Manager and really any environment which will securely set a header variable to an authenticated username.

Back in your APEX application, make this new authentication scheme "current" for your application.

The custom authentication scheme should work in any version of Application Express. A gentleman from Oracle Consulting got this to work at a customer site using APEX 3.2 and OAM 10g. He very graciously put together a document detailing all of the steps he performed in Application Express and Oracle Access Manager to get this to work, which is invaluable to someone like me who is essentially OAM-ignorant. I've asked for his permission to share this document, and when/if I get his okay, I'll make it available from this blog.
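
A scheme that reads the username from a header variable is only as trustworthy as the guarantee that the access gateway, and nothing else, set that header. The following Python model of that check is an added example, not code from this post or from Oracle; the header name `OAM_REMOTE_USER`, the gateway address range and the function name are assumptions chosen for illustration.

```python
import ipaddress
import re

# Assumptions for illustration (none of these values come from the post):
HEADER = "OAM_REMOTE_USER"                                  # header the gateway sets
TRUSTED_GATEWAYS = [ipaddress.ip_network("10.0.5.0/28")]    # constructed address range
USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,255}")

def _canon(name):
    # Some servers expose "Oam-Remote-User" and "OAM_REMOTE_USER" as the same
    # variable, so treat both spellings as the same header.
    return name.strip().lower().replace("-", "_")

def authenticated_user(peer_ip, headers):
    """Return the username asserted by the gateway, or None to deny.

    peer_ip -- address of the TCP peer that delivered the request
    headers -- list of (name, value) pairs as received, duplicates preserved
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_GATEWAYS):
        return None   # did not come through the gateway: header is client-controlled
    values = [v for n, v in headers if _canon(n) == _canon(HEADER)]
    if len(values) != 1:
        return None   # absent, or a client-supplied copy survived next to the gateway's
    user = values[0].strip()
    return user if USERNAME_RE.fullmatch(user) else None

# Constructed sample requests: (peer address, headers)
SAMPLES = {
    "via_gateway": ("10.0.5.3", [("Host", "apex.example.com"), ("OAM_REMOTE_USER", "jdoe")]),
    "direct_to_backend": ("192.0.2.44", [("OAM_REMOTE_USER", "jdoe")]),
    "duplicate_header": ("10.0.5.3", [("Oam-Remote-User", "asmith"), ("OAM_REMOTE_USER", "jdoe")]),
    "no_header": ("10.0.5.3", [("Host", "apex.example.com")]),
}

if __name__ == "__main__":
    for name, (peer, hdrs) in SAMPLES.items():
        print(f"{name:18} -> {authenticated_user(peer, hdrs)!r}")
```

Only the request that arrives from the gateway with exactly one well-formed copy of the header yields a username; the other three are denied.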

7 comments:

Hello Joel, Thank you for your custom authentication scheme for integrating OAM with APEX for SSO.

We have 2 application servers configured for one instance of APEX: WebLogic with listener and Oracle Application Server. Could you tell me whether there is any way to use OAM custom scheme (WebLogic) and scheme for Application Server for SSO simultaneously?

Are you saying that you wish to use the "old" SSO SDK with Application Server? I know that internally at Oracle they set up OAM to work with old SSO SDK applications - how they did this, though, I don't know.

I'll be honest with you - there has been no movement on any "official" white paper. But I can tell you that in Application Express 4.1, we will natively support header variable authentication - so this custom code in a custom authentication scheme in APEX goes away. And all that remains is configuration via Oracle Access Manager, which is really outside of our domain of expertise.

However - you're not alone in your requirement. Oracle Support is getting more and more requests for configuration with OAM 11g (and not OAM 10g, as is in this Word document). If a configuration document is produced there (and it may be), I will certainly publicize it.

Just wanted to let you know that this "official" whitepaper is now available on OTN at http://www.oracle.com/technetwork/developer-tools/apex/learnmore/index.html, in the "Technical Information and White Papers" section at the bottom.

I'm not sure what type of setup you're looking for. To be able to exploit this in APEX, it's as simple as choosing the authentication scheme of HTTP Header Variable and specifying the name of the header variable.

Many identity management solutions, like Oracle's Access Manager or even SiteMinder, will all protect a set of URLs and then transmit the authenticated username in an HTTP header variable.